Home Explore Help
Sign In
bat9go
/
Ycsecurity
mirror of https://github.com/yandex-cloud/yc-solution-library-for-security
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Branch: fix-typos
Branches Tags
Ycsecurity
/
network-sec
/
remote-access-vpn
/
firezone
/
compute.tf

compute.tf 2.2 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. // Create ssh keys for compute resources
    2. 

  2. resource "tls_private_key" "ssh" {
    3. 

  3.   algorithm = "RSA"
    4. 

  4.   rsa_bits  = "2048"
    5. 

  5. }
    6. 

  6. 

  7. resource "local_file" "private_key" {
    8. 

  8.   content         = tls_private_key.ssh.private_key_pem
    9. 

  9.   filename        = "pt_key.pem"
    10. 

  10.   file_permission = "0600"
    11. 

  11. }
    12. 

  12. 

  13. resource "random_string" "firezone_admin_password" {
    14. 

  14.   length  = 12
    15. 

  15.   upper   = true
    16. 

  16.   lower   = true
    17. 

  17.   numeric  = true
    18. 

  18.   special = true
    19. 

  19.   override_special = "!@%&*()-_=+[]{}<>:?"
    20. 

  20. }
    21. 

  21. 

  22. data "yandex_compute_image" "container-optimized-image" {
    23. 

  23.   family = "container-optimized-image"
    24. 

  24. }
    25. 

  25. 

  26. // Create firezone control server
    27. 

  27. resource "yandex_compute_instance" "firezone" {
    28. 

  28.   folder_id = var.values.folder_id
    29. 

  29.   name        = "firezone"
    30. 

  30.   hostname    = "firezone"
    31. 

  31.   platform_id = "standard-v3"
    32. 

  32.   zone        = "ru-central1-a"
    33. 

  33. 

  34.   resources {
    35. 

  35.     cores  = 2
    36. 

  36.     memory = 4
    37. 

  37.   }
    38. 

  38. 

  39.   boot_disk {
    40. 

  40.     initialize_params {
    41. 

  41.       image_id = data.yandex_compute_image.container-optimized-image.id
    42. 

  42.       type     = "network-ssd"
    43. 

  43.       size     = 30
    44. 

  44.     }
    45. 

  45.   }
    46. 

  46. 

  47.   network_interface {
    48. 

  48.     subnet_id  = yandex_vpc_subnet.firezone-subnet.id
    49. 

  49.     ip_address = "${cidrhost(var.values.firezone.subnet, 100)}"
    50. 

  50.     nat                = true
    51. 

  51.     nat_ip_address = yandex_vpc_address.firezone-public-ip.external_ipv4_address.0.address
    52. 

  52.     security_group_ids = [yandex_vpc_security_group.firezone-sg.id] 
    53. 

  53.   }
    54. 

  54. 

  55.   metadata = {
    56. 

  56.     user-data = templatefile("${path.module}/templates/cloud-init_firezone.tpl.yaml",
    57. 

  57.     {
    58. 

  58.       firezone_ssh_key_pub = "${chomp(tls_private_key.ssh.public_key_openssh)}",
    59. 

  59.       firezone_vm_username = var.values.firezone.vm_username
    60. 

  60.       firezone_admin_email = var.values.firezone.admin_email
    61. 

  61.       firezone_admin_password = "${random_string.firezone_admin_password.result}"
    62. 

  62.       firezone_url = "https://${var.values.firezone.subdomain}.${var.values.domain}"
    63. 

  63.       version = var.values.firezone.version
    64. 

  64.       db_host = yandex_mdb_postgresql_cluster.pg_cluster.host.0.fqdn 
    65. 

  65.       db_name = var.values.postgres.db_firezone_name
    66. 

  66.       db_user = var.values.postgres.db_user
    67. 

  67.       db_pass = random_string.postgres_user_password.result
    68. 

  68.       wg_port = var.values.firezone.wg_port
    69. 

  69.     })
    70. 

  70.   }
    71. 

  71.   depends_on = [yandex_mdb_postgresql_database.pg_firezone_db]
    72. 

  72. }
    73. 

  73.